Hello, everyone.
I have read the doc https://docs.splunk.com/Documentation/Splunk/7.2.5/Alert/EmailNotificationTokens
I noticed that the token $job.resultCount$ counts the number of alert results, but I want to get the total number of events in the search results.
For example:
index = ids eventtype=ids_attack | stats count by signature_id
Because I use stats count by signature_id, the search returned 20 results, but the total number of events is 500.
So if I used the token $job.resultCount$ in the alert, the alert message would tell me 20 results, but in fact I want to get the total number of events (500 events), which is equivalent to the result count of the following search:
index = IDS eventtype = ids_attack
To avoid creating two alerts, I want to ask if there is a way to get the total number of events?
@bestSplunker once you have the field total_events in the search result, you can use $result.total_event$ in your alert. I am not sure that there will be any other way of having this as a token.
Do this:
index = ids eventtype=ids_attack | eventstats count | stats count first(count) AS _totalCount BY signature_id
Then use $result._totalCount$ for your token.
@niketnilay Thank you! Please convert your comment to an answer, and I will accept your reply.
@bestSplunker I am glad you found the answer useful. I have converted my comment to answer, so that you can mark the same as accepted.
@bestSplunker Can you please try this?
index = ids eventtype=ids_attack | eventstats count as total_event |stats count values(total_event) as total_event by signature_id
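To make the difference between the two counts concrete, here is an added example (not from any of the posters above) that emulates in Python what the two answers do in SPL: `eventstats count` stamps the overall event total onto every event, and the following `stats ... by signature_id` collapses the events to one row per signature while carrying that total along. The sample events are constructed to mirror the numbers in the question (500 events, 20 signature ids); the token names map to Splunk's $job.resultCount$ (number of result rows) and $result.<field>$ (value of that field in the first result row).

```python
"""
Emulation of:
  ... | eventstats count as total_event
      | stats count values(total_event) as total_event by signature_id
on constructed sample events, to show why the per-signature result table
still carries the overall event total that the alert token needs.
"""
from collections import Counter


def make_sample_events(n_events=500, n_signatures=20):
    # Constructed sample data (assumption): 500 IDS events spread evenly over
    # 20 signature ids, matching the figures given in the question.
    return [{"signature_id": f"sig-{i % n_signatures:02d}"} for i in range(n_events)]


def eventstats_count(events, field="total_event"):
    # eventstats computes an aggregate over the whole event set and appends it
    # to every event; the number of events is unchanged (still 500 here).
    total = len(events)
    return [dict(e, **{field: total}) for e in events]


def stats_count_by(events, by="signature_id", carry="total_event"):
    # stats count values(<carry>) by <by>: one row per group. values() collects
    # the distinct values of the carried field; because eventstats wrote the
    # same total onto every event, each group has exactly one distinct value.
    counts = Counter(e[by] for e in events)
    carried = {}
    for e in events:
        carried.setdefault(e[by], set()).add(e[carry])
    return [{by: k, "count": counts[k], carry: sorted(carried[k])} for k in sorted(counts)]


def stats_count_by_plain(events, by="signature_id"):
    # The original search from the question: plain stats drops everything that
    # is not an aggregate or a by-field, so the overall total is lost.
    counts = Counter(e[by] for e in events)
    return [{by: k, "count": counts[k]} for k in sorted(counts)]


def alert_tokens(rows):
    # $job.resultCount$ is the number of result rows; $result.total_event$ is
    # the field's value in the first result row (None if the field is absent).
    first = rows[0] if rows else {}
    total = first.get("total_event")
    return {
        "job.resultCount": len(rows),
        "result.total_event": total[0] if total else None,
    }


if __name__ == "__main__":
    events = make_sample_events()
    print("plain stats:", alert_tokens(stats_count_by_plain(events)))
    print("eventstats + stats:", alert_tokens(stats_count_by(eventstats_count(events))))
```

Running it shows the plain search yields resultCount 20 with no total available, while the eventstats variant still yields 20 rows but each row carries total_event = 500, which is what the $result.total_event$ token reads from the first row.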
@kamlesh_vaghela I was hoping to implement it with a token.